CN111371549B - Message data transmission method, device and system - Google Patents
- Publication number
- CN111371549B (application CN202010146753.9A)
- Authority
- CN
- China
- Prior art keywords
- tunnel
- target tunnel
- message data
- target
- session key
- Prior art date
- Legal status
- Active
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
Technical Field
The present disclosure relates to the field of computer information processing, and in particular to a message data transmission method, device and system.
Background
In recent years, thanks to the support of national policy, China's new energy industry has developed rapidly. As the share of photovoltaic generation in primary energy consumption keeps rising, its safe operation becomes ever more important, so the power system also places higher requirements on connecting new energy sources to the grid and on the associated secondary protection. In particular, for monitoring systems not covered by the dispatch data network, such as load management, distribution automation and distributed generation access, data communication should preferably use the power-dedicated communication network; where that is not available, public communication networks (excluding the Internet) and public wireless networks (GPRS, CDMA, WiFi, etc.) may also be used, but if these are used, security measures such as security isolation and encrypted transmission must be adopted.
At present, the application-layer communication protocol (IEC-104) used by existing terminal devices is often encrypted to ensure the safe operation of the data transmission network. This is meant to resist hackers, malicious code and similar means that, in various forms, exploit distributed generation to launch malicious sabotage and attacks on the grid monitoring system, as well as other illegal operations, and so to prevent the power system from being paralysed or losing control and the primary-system grid accidents that would result.
The information disclosed in this Background section is only intended to enhance understanding of the background of the disclosure, and may therefore include information that does not constitute prior art already known to a person of ordinary skill in the art.
Summary of the Invention
In view of this, the present disclosure provides a message data transmission method, device and system that can overcome the insufficient security of existing terminals and provide confidentiality and integrity protection for the transmission of message data between terminals.
Other features and advantages of the present disclosure will become apparent from the following detailed description, or may in part be learned by practice of the present disclosure.
According to one aspect of the present disclosure, a message data transmission method is proposed. The method includes: determining the sender identifier and receiver identifier of the message data to be sent; determining a target tunnel identifier based on the sender identifier and the receiver identifier; extracting verification information from a tunnel table based on the target tunnel identifier; establishing a target tunnel between the sender and the receiver based on the verification information and generating a session key; encrypting the message data with the session key to generate encrypted data; and sending the encrypted data to the receiver through the target tunnel.
In an exemplary embodiment of the present disclosure, determining the target tunnel identifier based on the sender identifier and the receiver identifier includes: extracting a target policy action from a policy table based on the sender identifier and the receiver identifier; and, when the target policy action is encryption processing, determining the target tunnel identifier based on the sender identifier and the receiver identifier.
In an exemplary embodiment of the present disclosure, establishing the target tunnel between the sender and the receiver based on the verification information and generating the session key includes: the sender and the receiver performing probe and negotiation processing based on the verification information; and, after the sender and the receiver have verified each other successfully, establishing the target tunnel and generating the session key.
In an exemplary embodiment of the present disclosure, the method further includes: generating the policy table from the five-tuple data between all receivers and all senders and the corresponding policy actions, where the five-tuple data includes the source address, destination address, protocol, source port and destination port.
In an exemplary embodiment of the present disclosure, the method further includes: establishing the tunnel table based on the certificate information and keys of the current sender and all receivers, where the verification information includes certificate information, a negotiation period and a probe period.
According to one aspect of the present disclosure, a message data transmission method is proposed. The method includes: receiving a target tunnel establishment request from a sender; extracting verification information from a tunnel table based on a target tunnel identifier; establishing a target tunnel between the sender and the receiver based on the verification information and generating a session key; receiving encrypted data over the target tunnel; and decrypting the encrypted data with the session key to generate message data.
In an exemplary embodiment of the present disclosure, the method further includes: extracting five-tuple data from the message data; determining, by means of a policy table, whether the five-tuple data satisfies a preset condition; and forwarding the message data when the preset condition is satisfied.
According to one aspect of the present disclosure, a message data transmission device is proposed. The device includes: a data module for determining the sender identifier and receiver identifier of the message data to be sent; a tunnel module for determining a target tunnel identifier based on the sender identifier and the receiver identifier; an information module for extracting verification information from a tunnel table based on the target tunnel identifier; a key module for establishing a target tunnel between the sender and the receiver based on the verification information and generating a session key; an encryption module for encrypting the message data with the session key to generate encrypted data; and a sending module for sending the encrypted data to the receiver through the target tunnel.
According to one aspect of the present disclosure, a message data transmission device is proposed. The device includes: a request module for receiving a target tunnel establishment request from a sender; a verification module for extracting verification information from a tunnel table based on a target tunnel identifier; an establishment module for establishing a target tunnel between the sender and the receiver based on the verification information and generating a session key; a receiving module for receiving encrypted data over the target tunnel; and a decryption module for decrypting the encrypted data with the session key to generate message data.
According to one aspect of the present disclosure, a message data transmission system is proposed. The system includes a sender, configured to: determine the sender identifier and receiver identifier of the message data to be sent; determine a target tunnel identifier based on the sender identifier and the receiver identifier; extract verification information from a tunnel table based on the target tunnel identifier; establish a target tunnel with the receiver based on the verification information and generate a session key; encrypt the message data with the session key to generate encrypted data; and send the encrypted data to the receiver through the target tunnel. It also includes a receiver, configured to: receive a target tunnel establishment request from the sender; extract verification information from the tunnel table based on the target tunnel identifier; establish a target tunnel with the sender based on the verification information and generate a session key; receive encrypted data over the target tunnel; and decrypt the encrypted data with the session key to generate message data.
According to one aspect of the present disclosure, an electronic device is proposed. The electronic device includes one or more processors and a storage device for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors implement the method described above.
According to one aspect of the present disclosure, a computer-readable medium is proposed, on which a computer program is stored; when the program is executed by a processor, it implements the method described above.
With the message data transmission method, device and system of the present disclosure, the sender identifier and receiver identifier of the message data to be sent are determined; a target tunnel identifier is determined based on the sender identifier and the receiver identifier; verification information is extracted from a tunnel table based on the target tunnel identifier; a target tunnel is established between the sender and the receiver based on the verification information and a session key is generated; the message data is encrypted with the session key to generate encrypted data; and the encrypted data is sent to the receiver through the target tunnel. This approach overcomes the insufficient security of existing terminals and provides confidentiality and integrity protection for the transmission of message data between terminals.
It should be understood that the above general description and the following detailed description are exemplary only and do not limit the present disclosure.
Brief Description of the Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the detailed description of its example embodiments with reference to the accompanying drawings. The drawings described below are only some embodiments of the present disclosure; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a system block diagram of a message data transmission method and device according to an exemplary embodiment.
Fig. 2 is a flowchart of a message data transmission method according to an exemplary embodiment.
Fig. 3 is a flowchart of a message data transmission method according to another exemplary embodiment.
Fig. 4 is a schematic diagram of a message data transmission method according to an exemplary embodiment.
Fig. 5 is a block diagram of a message data transmission device according to an exemplary embodiment.
Fig. 6 is a block diagram of a message data transmission device according to another exemplary embodiment.
Fig. 7 is a block diagram of an electronic device according to an exemplary embodiment.
Fig. 8 is a block diagram of a computer-readable medium according to an exemplary embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be implemented in many forms and should not be construed as limited to those set forth here; rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of the example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, so their repeated description is omitted.
Furthermore, the described features, structures or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, many specific details are provided to give a thorough understanding of the embodiments of the present disclosure. Those skilled in the art will recognise, however, that the technical solutions of the present disclosure may be practised without one or more of these specific details, or with other methods, components, devices, steps and so on. In other cases, well-known methods, devices, implementations or operations are not shown or described in detail so as not to obscure aspects of the present disclosure.
The block diagrams in the drawings are merely functional entities and need not correspond to physically separate entities. That is, these functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different network and/or processor devices and/or microcontroller devices.
The flowcharts in the drawings are only exemplary illustrations; they need not include all contents and operations/steps, nor need the steps be performed in the order described. For example, some operations/steps may be decomposed and others combined or partly combined, so the actual order of execution may change according to the actual situation.
It should be understood that although the terms first, second, third and so on may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one component from another. Thus, a first component discussed below could be termed a second component without departing from the teachings of the disclosed concepts. As used herein, the term "and/or" includes any one of the associated listed items and all combinations of one or more of them.
Those skilled in the art will understand that the drawings are only schematic diagrams of example embodiments, and that the modules or processes in the drawings are not necessarily required to implement the present disclosure, so they cannot be used to limit its scope of protection.
Fig. 1 is a system block diagram of a message data transmission method, device and system according to an exemplary embodiment.
As shown in Fig. 1, the system architecture 10 may include sending terminal devices 101 and 102, a network 103, and receiving terminal devices 104 and 105. The network 103 is the medium that provides communication links between the sending terminal devices 101, 102 and the receiving terminal devices 104, 105. The network 103 may include various connection types, such as wireless communication links or fibre-optic cables.
Users may use the sending terminal devices 101, 102 to interact with the receiving terminal devices 104, 105 via the network 104, for example to receive or send messages. Various communication client applications may be installed on the sending terminal devices 101, 102 and the receiving terminal devices 104, 105, such as shopping applications, web browsers, search applications, instant messaging tools, e-mail clients and social platform software.
The sending terminal devices 101, 102 and the receiving terminal devices 104, 105 may be various electronic devices that have a display screen and support web browsing, including but not limited to smartphones, tablets, laptop computers and desktop computers.
It should be understood that the numbers of terminal devices and networks in Fig. 1 are only illustrative; there may be any number of terminal devices and networks as the implementation requires. For example, the sending terminal device 102 may be a server cluster composed of multiple servers or a system composed of multiple terminals.
The sending terminal devices 101, 102 may, for example: determine the sender identifier and receiver identifier of the message data to be sent; determine a target tunnel identifier based on the sender identifier and the receiver identifier; extract verification information from the tunnel table based on the target tunnel identifier; establish a target tunnel between the sender and the receiver based on the verification information and generate a session key; encrypt the message data with the session key to generate encrypted data; and send the encrypted data to the receiver through the target tunnel.
The receiving terminal devices 104, 105 may, for example: receive a target tunnel establishment request from the sender; extract verification information from the tunnel table based on the target tunnel identifier; establish a target tunnel between the sender and the receiver based on the verification information and generate a session key; and receive encrypted data over the target tunnel.
It should be noted that the message data transmission method provided by the embodiments of the present disclosure may be executed by the sending terminal devices 101, 102 and the receiving terminal devices 104, 105; correspondingly, the message data transmission device may be arranged in the sending terminal devices 101, 102 and the receiving terminal devices 104, 105.
Fig. 2 is a flowchart of a message data transmission method according to an exemplary embodiment. Message data transmission method 20 describes the processing on the sending-end device and includes at least steps S202 to S212.
As shown in Fig. 2, in S202 the sender identifier and receiver identifier of the message data to be sent are determined. The message protocol may be any of TCP, UDP and ICMP.
In S204, a target tunnel identifier is determined based on the sender identifier and the receiver identifier. This includes: extracting a target policy action from the policy table based on the sender identifier and the receiver identifier; and, when the target policy action is encryption processing, determining the target tunnel identifier based on the sender identifier and the receiver identifier.
Matching information and action information are extracted from the policy table. The matching information is IP five-tuple information: the user can designate a specific data flow by its IP five-tuple, so that when the sending and receiving devices satisfy that condition the action specified by the policy is executed. A policy action has one of two outcomes, pass in plaintext or encryption processing. When the match result is encryption processing, the tunnel information and session key referenced by the policy are obtained and the data is handed to the encryption/decryption module for encryption.
The purpose of the access policy is to let the user specify which servers a given terminal must communicate with in ciphertext and which communications may be transmitted in plaintext; all other access is not permitted. The policy table and tunnel table must be configured at both the sending end and the receiving end. Once the access policy has been configured successfully and tunnel negotiation has completed, the encryption module classifies any data flow that passes through according to the access policy. If the data needs to be encrypted, it is sent into the corresponding tunnel and encrypted with the session key negotiated for that tunnel; once encryption is complete, the ciphertext is sent to the peer. On receiving the ciphertext, the peer encryption device decrypts it with the session key and forwards the plaintext. In this way the data exists only in ciphertext form throughout the intermediate transmission, which keeps it secure and reliable.
In S206, verification information is extracted from the tunnel table based on the target tunnel identifier. The target tunnel specifies the peer information for the link, including basic information such as the peer IP address and peer certificate. After the tunnel has been configured successfully, tunnel negotiation begins. The negotiation process encrypts with the peer's public key and signs with the local private key (the SM2 algorithm is supported), which guarantees the security and reliability of the negotiation. The tunnel negotiation process generates true random numbers and, after a certain algorithmic computation, finally produces the session key for this connection. Because the session key is computed from true random numbers generated on the fly at both ends, it can be guaranteed to be secure and reliable and cannot be obtained in advance by a third party.
In S208, a target tunnel is established between the sender and the receiver based on the verification information, and a session key is generated. This includes: the sender and the receiver performing probe and negotiation processing based on the verification information; and, after the sender and the receiver have verified each other successfully, establishing the target tunnel and generating the session key.
In S210, the message data is encrypted with the session key to generate encrypted data.
Encryption may be performed by an encryption module, which can run on a base operating system platform for the device formed by trimming the Linux kernel and slimming down the file system. The trimmed system retains only the necessary management commands and system services, so it occupies less space, starts faster and runs more stably. The only ports open on the trimmed system are those for the cryptographic service and the remote secure configuration management function, which minimises possible system vulnerabilities and effectively strengthens the security of the operating system.
The encryption module can support cryptographic algorithms approved by the State Cryptography Administration; the algorithms used include a symmetric encryption algorithm, an asymmetric algorithm, a hash algorithm and a random number generation algorithm. The symmetric encryption algorithm is used for data encryption and is the power-industry-specific block cipher designated by the State Cryptography Administration, with a 128-bit block length and a 128-bit key length. The asymmetric algorithm is used for digital signatures and digital envelopes and is the 256-bit SM2 algorithm required by the State Cryptography Administration. The hash algorithm is used for data integrity verification and is SM3.
In S212, the encrypted data is sent to the receiver through the target tunnel. For example, the original IP header and port numbers may be encrypted, an outer IP header and ESP information added to produce the encrypted packet, and the encrypted packet forwarded to the receiving-end device.
With the message data transmission method of the present disclosure, the sender identifier and receiver identifier of the message data to be sent are determined; a target tunnel identifier is determined based on the sender identifier and the receiver identifier; verification information is extracted from the tunnel table based on the target tunnel identifier; a target tunnel is established between the sender and the receiver based on the verification information and a session key is generated; the message data is encrypted with the session key to generate encrypted data; and the encrypted data is sent to the receiver through the target tunnel. This approach overcomes the insufficient security of existing terminals and provides confidentiality and integrity protection for the transmission of message data between terminals.
It should be clearly understood that the present disclosure describes how to make and use specific examples, but the principles of the disclosure are not limited to any details of these examples. Rather, based on the teachings of the present disclosure, these principles can be applied to many other embodiments.
Fig. 3 is a flowchart of a message data transmission method according to another exemplary embodiment. Message data transmission method 30 describes the processing on the receiving-end device and includes at least steps S302 to S310.
As shown in Fig. 3, in S302 a target tunnel establishment request from the sender is received.
In S304, verification information is extracted from the tunnel table based on the target tunnel identifier.
In S306, a target tunnel is established between the sender and the receiver based on the verification information, and a session key is generated.
In S308, encrypted data is received over the target tunnel.
In S310, the encrypted data is decrypted with the session key to generate message data.
In one embodiment, the method further includes: extracting five-tuple data from the message data; determining, by means of the policy table, whether the five-tuple data satisfies a preset condition; and forwarding the message data when the preset condition is satisfied.
Matching information and action information are extracted from the policy table. The matching information is IP five-tuple information: the user can designate a specific data flow by its IP five-tuple, so that when the sending and receiving devices satisfy that condition the action specified by the policy is executed. A policy action has one of two outcomes, pass in plaintext or encryption processing. When the match result is encryption processing, the tunnel information and session key referenced by the policy are obtained and the data is handed to the encryption/decryption module for encryption.
For example, the five-tuple data may designate the flow between sending device A and receiving device B with the policy action encryption processing; then, when sending device A sends message data to receiving device B, the data is encrypted before being sent. Likewise, the five-tuple data may designate the flow between sending device C and receiving device D with the policy action pass in plaintext; then, when sending device C sends message data to receiving device D, the data is sent directly without encryption.
根据本公开的报文数据传输方法,接收来自发送端的目标隧道建立请求;基于目标隧道标识由隧道表中提取校验信息;基于所述校验信息在所述发送端和接收端之间建立目标隧道并生成会话秘钥;基于所述目标隧道接收加密数据;通过所述会话秘钥对所述加密数据进行解密,生成报文数据的方式,能够克服现有终端中存在的安全性不足的问题,为终端间报文数据的传输提供了机密性、完整性的保护。According to the message data transmission method of the present disclosure, a target tunnel establishment request from the sending end is received; verification information is extracted from the tunnel table based on the target tunnel identifier; and a target tunnel is established between the sending end and the receiving end based on the verification information. Tunneling and generating a session key; receiving encrypted data based on the target tunnel; decrypting the encrypted data through the session key to generate message data, which can overcome the problem of insufficient security in existing terminals , providing confidentiality and integrity protection for the transmission of message data between terminals.
Fig. 4 is a schematic diagram of a message data transmission method according to an exemplary embodiment. Fig. 4 illustrates, by way of example, how entries are added to the tunnel table and the policy table.
In one embodiment, the method further includes: generating the policy table from the 5-tuple data between all receiving ends and all sending ends together with the corresponding policy actions; the 5-tuple data includes the source address, destination address, protocol, source port and destination port.
In the system, a policy table entry is added for any pair of devices (sending side and receiving side); the entry may contain IP addresses, port numbers and a protocol number (such as TCP, UDP or ICMP).
Since data encryption and decryption exist in pairs, for a pair of encryption devices (sending side and receiving side) a policy is configured per service; that is, one service requires one policy. A device can be configured with multiple policies, which are independent of one another. All policies are normally managed in one table, called the policy table, in which each policy is one entry, that is, a policy table entry.
Further, the information in the policy table is divided into two parts, matching information and action information. The matching information is the IP 5-tuple, which allows a user to designate a particular data flow by its IP 5-tuple (source IP, destination IP, protocol, source port, destination port); when that condition is satisfied the policy action is executed. A policy action has one of two outcomes, clear pass or encryption processing. When the match result is encryption processing, the tunnel information and session key referenced by the policy are obtained and the data is handed to the encryption/decryption module for encryption.
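The policy table lookup described above (5-tuple match, clear pass or encryption, and the tunnel reference an encrypted flow needs), written out as an added example in Go; this is not code from the patent. Assumptions not in the text: entries are kept in order and the first match wins; a flow that matches no entry is dropped rather than passed in the clear (the page names only two actions); a zero protocol or port is a wildcard; tunnel references are strings; all addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action is the policy result. The page names two outcomes, clear pass and
// encryption; Drop is added here (assumption) as the fail-closed default for
// traffic that matches no entry.
type Action int

const (
	Drop Action = iota
	ClearPass
	Encrypt
)

func (a Action) String() string { return []string{"drop", "clear-pass", "encrypt"}[a] }

// FiveTuple is the IP quintuple extracted from a packet.
type FiveTuple struct {
	Src, Dst         netip.Addr
	Proto            uint8 // 6 = TCP, 17 = UDP, 1 = ICMP
	SrcPort, DstPort uint16
}

// PolicyEntry is one policy table entry: matching information plus action.
// A zero Proto or port is a wildcard; ICMP carries no ports, so its entries
// leave both ports at zero.
type PolicyEntry struct {
	Src, Dst         netip.Prefix
	Proto            uint8
	SrcPort, DstPort uint16
	Action           Action
	TunnelID         string // tunnel referenced by the policy; required for Encrypt
}

func (e PolicyEntry) matches(t FiveTuple) bool {
	return e.Src.Contains(t.Src) && e.Dst.Contains(t.Dst) &&
		(e.Proto == 0 || e.Proto == t.Proto) &&
		(e.SrcPort == 0 || e.SrcPort == t.SrcPort) &&
		(e.DstPort == 0 || e.DstPort == t.DstPort)
}

// PolicyTable is ordered: the first matching entry wins, so narrower entries
// must precede broader ones.
type PolicyTable []PolicyEntry

// Lookup returns the policy action and the referenced tunnel for a packet.
// No match yields Drop rather than ClearPass, so a missing entry cannot turn
// a flow that should be encrypted into plaintext.
func (p PolicyTable) Lookup(t FiveTuple) (Action, string) {
	for _, e := range p {
		if e.matches(t) {
			return e.Action, e.TunnelID
		}
	}
	return Drop, ""
}

// Validate rejects an Encrypt entry that references no tunnel, since there
// would be no session key to encrypt with.
func (p PolicyTable) Validate() error {
	for i, e := range p {
		if e.Action == Encrypt && e.TunnelID == "" {
			return fmt.Errorf("policy entry %d: encrypt action without tunnel reference", i)
		}
	}
	return nil
}

// ExampleTable models the page's two cases with constructed addresses:
// A (10.0.1.10) -> B (10.0.2.20) encrypted through tunnel "tun-AB", and
// ICMP from C's subnet (10.0.3.0/24) -> D (10.0.4.40) passed in the clear.
func ExampleTable() PolicyTable {
	pfx := netip.MustParsePrefix
	return PolicyTable{
		{Src: pfx("10.0.1.10/32"), Dst: pfx("10.0.2.20/32"), Action: Encrypt, TunnelID: "tun-AB"},
		{Src: pfx("10.0.3.0/24"), Dst: pfx("10.0.4.40/32"), Proto: 1, Action: ClearPass},
	}
}

func main() {
	tbl := ExampleTable()
	if err := tbl.Validate(); err != nil {
		panic(err)
	}
	pkt := FiveTuple{Src: netip.MustParseAddr("10.0.1.10"), Dst: netip.MustParseAddr("10.0.2.20"),
		Proto: 6, SrcPort: 40000, DstPort: 443}
	act, tun := tbl.Lookup(pkt)
	fmt.Println("A -> B TCP/443:", act, tun)
}
```

Each device holds its own table, so the table above is directional: B's replies to A need the mirrored entry on B's side. Validate catches the misconfiguration that does the most damage in this design, an encrypt entry with no tunnel and therefore no session key behind it.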
In one embodiment, the method further includes: building the tunnel table from the certificate information and keys of the current sending end and all receiving ends; the verification information includes certificate information, a negotiation period and a probing period.
The tunnel table mainly contains the peer IP address and the peer certificate information, together with auxiliary information such as the negotiation period and the probing period. Once a tunnel has been configured, the sending device and the receiving device carry out probing and negotiation; after the two ends have verified each other's certificates and keys, the tunnel connection is established and a session key is generated, which is used to encrypt and decrypt subsequent communication.
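The tunnel table and the mutual certificate check that produces the session key (steps S302 to S306 at the receiving end), as an added example in Go that is not the patent's code. Assumptions not in the text: the peer certificate is reduced to a pinned ECDSA P-256 public key (a real deployment would parse X.509 and check chain, validity and revocation); the negotiation is a signed ephemeral ECDH exchange; the session key is derived with an HMAC-SHA256 KDF over the shared secret, tunnel identifier and both nonces; the negotiation and probe periods of the table are left out; party names, addresses and the tunnel identifier are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TunnelEntry is one tunnel table entry. The peer certificate is reduced to a
// pinned ECDSA public key (assumption); negotiation and probe periods are omitted.
type TunnelEntry struct {
	PeerIP   string
	PeerCert *ecdsa.PublicKey
}

// Party is one end of a tunnel: its own identity key plus its tunnel table.
type Party struct {
	ID      *ecdsa.PrivateKey
	Tunnels map[string]TunnelEntry
}

// Hello is the negotiation message: an ephemeral ECDH public key and a fresh
// nonce, signed with the sender's identity key.
type Hello struct {
	TunnelID           string
	EphPub, Nonce, Sig []byte
}

func helloDigest(h *Hello) []byte {
	d := sha256.Sum256(bytes.Join([][]byte{[]byte(h.TunnelID), h.EphPub, h.Nonce}, nil))
	return d[:]
}

// NewHello builds and signs this end's negotiation message for tunnel id.
func (p *Party) NewHello(id string) (*Hello, *ecdh.PrivateKey, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	h := &Hello{TunnelID: id, EphPub: eph.PublicKey().Bytes(), Nonce: make([]byte, 16)}
	if _, err := rand.Read(h.Nonce); err != nil { return nil, nil, err }
	h.Sig, err = ecdsa.SignASN1(rand.Reader, p.ID, helloDigest(h))
	return h, eph, err
}

// VerifyHello is the certificate check: the signature must verify under the
// peer certificate the tunnel table holds for this tunnel id, never under a
// key carried in the message itself.
func (p *Party) VerifyHello(h *Hello) (*ecdh.PublicKey, error) {
	e, ok := p.Tunnels[h.TunnelID]
	if !ok { return nil, errors.New("unknown tunnel id") }
	if !ecdsa.VerifyASN1(e.PeerCert, helloDigest(h), h.Sig) { return nil, errors.New("peer certificate check failed") }
	return ecdh.P256().NewPublicKey(h.EphPub)
}

// sessionKey: HMAC-SHA256 KDF over the ECDH secret, tunnel id and both nonces (assumption: the page names no KDF).
func sessionKey(shared []byte, hS, hR *Hello) []byte {
	m := hmac.New(sha256.New, shared)
	m.Write(bytes.Join([][]byte{[]byte("tunnel-session-key"), []byte(hS.TunnelID), hS.Nonce, hR.Nonce}, nil))
	return m.Sum(nil)
}

// Negotiate runs the exchange in-process. The sender's hello is the tunnel
// establishment request of S302; the receiver's check and derivation are S304/S306.
func Negotiate(id string, sender, receiver *Party) (keyS, keyR []byte, err error) {
	hS, ephS, err := sender.NewHello(id)
	if err != nil { return nil, nil, err }
	hR, ephR, err := receiver.NewHello(id)
	if err != nil { return nil, nil, err }
	pubS, err := receiver.VerifyHello(hS) // receiving end checks the request
	if err != nil { return nil, nil, err }
	pubR, err := sender.VerifyHello(hR) // sending end checks the reply
	if err != nil { return nil, nil, err }
	sS, err := ephS.ECDH(pubR)
	if err != nil { return nil, nil, err }
	sR, err := ephR.ECDH(pubS)
	if err != nil { return nil, nil, err }
	return sessionKey(sS, hS, hR), sessionKey(sR, hS, hR), nil
}

func newParty() *Party {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return &Party{ID: k, Tunnels: map[string]TunnelEntry{}}
}

func main() {
	a, b, c := newParty(), newParty(), newParty() // constructed parties
	a.Tunnels["tun-AB"] = TunnelEntry{"10.0.2.20", &b.ID.PublicKey}
	b.Tunnels["tun-AB"] = TunnelEntry{"10.0.1.10", &a.ID.PublicKey}
	kA, kB, err := Negotiate("tun-AB", a, b)
	fmt.Println("A and B share a session key:", err == nil && bytes.Equal(kA, kB))
	c.Tunnels["tun-AB"] = a.Tunnels["tun-AB"] // C knows B's certificate, but B does not know C's
	_, _, err = Negotiate("tun-AB", c, b)
	fmt.Println("impostor C rejected:", err)
}
```

The property worth checking is in VerifyHello: the verification key is looked up by tunnel identifier in the local tunnel table, so a hello from a device whose certificate is not in the table fails even when that device knows the other end's certificate, and an honest peer asking for a tunnel identifier the table does not list fails the same way. Both nonces enter the KDF so a replayed hello cannot reproduce an old session key.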
Those skilled in the art will understand that all or part of the steps of the above embodiments can be implemented as a computer program executed by a CPU. When the computer program is executed by the CPU, the functions defined by the methods provided in this disclosure are performed. The program can be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disk or the like.
In addition, it should be noted that the above figures are only schematic illustrations of the processing included in the methods of the exemplary embodiments of this disclosure and are not limiting. It will be readily understood that the processing shown in the figures does not indicate or restrict the chronological order of these operations, and that the operations may, for example, be executed synchronously or asynchronously in multiple modules.
The following are device embodiments of the present disclosure, which can be used to carry out the method embodiments. For details not disclosed in the device embodiments, refer to the method embodiments.
Fig. 5 is a block diagram of a message data transmission device according to an exemplary embodiment. As shown in Fig. 5, message data transmission device 50 includes a data module 502, a tunnel module 504, an information module 506, a key module 508, an encryption module 510 and a sending module 512.
Data module 502 determines the sending-end identifier and the receiving-end identifier of the message data to be sent; the message protocol may be any of TCP, UDP or ICMP.
Tunnel module 504 determines the target tunnel identifier based on the sending-end identifier and the receiving-end identifier. This includes: extracting the target policy action from the policy table based on the sending-end identifier and the receiving-end identifier; and, when the target policy action is encryption processing, determining the target tunnel identifier based on the sending-end identifier and the receiving-end identifier.
Information module 506 extracts verification information from the tunnel table based on the target tunnel identifier. The target tunnel specifies the link's peer information, including basic information such as the peer IP address and the peer certificate. Once the tunnel has been configured, tunnel negotiation begins; the negotiation messages are encrypted with the peer's public key and signed with the local private key.
Key module 508 establishes the target tunnel between the sending end and the receiving end based on the verification information and generates the session key. This includes: the sending end and the receiving end carrying out probing and negotiation based on the verification information; and, after the sending end and the receiving end have verified each other, establishing the target tunnel and generating the session key.
Encryption module 510 encrypts the message data with the session key to generate the encrypted data. The encryption module can run on the device's base operating system platform, which is formed by trimming the Linux kernel and reducing the file system.
Sending module 512 sends the encrypted data to the receiving end through the target tunnel. For example, the original IP header and port numbers are encrypted, an outer IP header and ESP information are added to form the encrypted packet, and the encrypted packet is forwarded to the receiving-end device.
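The encapsulation step just described (encrypting the original IP header and ports, then adding an outer IP header and ESP information) together with its inverse at the receiving end (S308 to S310), as an added example in Go; this is not the patent's code. Assumptions not in the text: AES-256-GCM under the negotiated session key, so the integrity the page claims is provided by the authentication tag; a 20-byte outer header (outer IPv4 source and destination, SPI, 64-bit sequence number) authenticated as associated data; a 64-packet anti-replay window; the session key bytes in main are constructed stand-ins for negotiated keying material.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Outer header sent in the clear: outer IPv4 source and destination, the SPI
// naming the tunnel, and a 64-bit sequence number (assumption modelled on ESP).
const hdrLen = 4 + 4 + 4 + 8

// Tunnel is one direction of an established tunnel plus its anti-replay state.
type Tunnel struct {
	SPI         uint32
	Local, Peer [4]byte
	aead        cipher.AEAD
	salt        [4]byte
	sendSeq     uint64
	recvHigh    uint64 // highest sequence number accepted so far
	window      uint64 // bit i set: recvHigh-i was already accepted
}

// NewTunnel takes 36 bytes of negotiated keying material: a 32-byte AES-256
// key and a 4-byte nonce salt (assumption; the page fixes no cipher).
func NewTunnel(spi uint32, local, peer [4]byte, key []byte) (*Tunnel, error) {
	if len(key) != 36 { return nil, errors.New("need 32-byte key + 4-byte salt") }
	block, err := aes.NewCipher(key[:32])
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	t := &Tunnel{SPI: spi, Local: local, Peer: peer, aead: aead}
	copy(t.salt[:], key[32:])
	return t, nil
}

// nonce = salt || sequence number: unique per packet under one session key.
func (t *Tunnel) nonce(seq uint64) []byte {
	n := make([]byte, 12)
	copy(n, t.salt[:])
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Encapsulate encrypts the whole inner packet (its IP header and ports
// included) and prepends the outer header, authenticated as associated data.
func (t *Tunnel) Encapsulate(inner []byte) ([]byte, error) {
	if t.sendSeq == ^uint64(0) { return nil, errors.New("sequence exhausted: renegotiate") }
	t.sendSeq++
	hdr := make([]byte, hdrLen)
	copy(hdr[0:4], t.Local[:])
	copy(hdr[4:8], t.Peer[:])
	binary.BigEndian.PutUint32(hdr[8:12], t.SPI)
	binary.BigEndian.PutUint64(hdr[12:20], t.sendSeq)
	return t.aead.Seal(hdr, t.nonce(t.sendSeq), inner, hdr), nil
}

// Decapsulate checks the SPI and the replay window before decrypting, and
// advances the window only after the tag verified, so forgeries cannot move it.
func (t *Tunnel) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+t.aead.Overhead() { return nil, errors.New("packet too short") }
	hdr := pkt[:hdrLen]
	if binary.BigEndian.Uint32(hdr[8:12]) != t.SPI { return nil, errors.New("unknown SPI") }
	seq := binary.BigEndian.Uint64(hdr[12:20])
	if err := t.checkReplay(seq); err != nil { return nil, err }
	inner, err := t.aead.Open(nil, t.nonce(seq), pkt[hdrLen:], hdr)
	if err != nil { return nil, errors.New("authentication failed") }
	t.markSeen(seq)
	return inner, nil
}

// checkReplay: a 64-packet sliding window. Above the highest accepted number is
// new; older than the window, or already marked inside it, is a replay.
func (t *Tunnel) checkReplay(seq uint64) error {
	if seq == 0 { return errors.New("replay: sequence number 0 is never valid") }
	if seq > t.recvHigh { return nil }
	if t.recvHigh-seq >= 64 { return errors.New("replay: sequence number too old") }
	if t.window&(1<<(t.recvHigh-seq)) != 0 { return errors.New("replay: sequence number already seen") }
	return nil
}

func (t *Tunnel) markSeen(seq uint64) {
	if seq <= t.recvHigh { t.window |= 1 << (t.recvHigh - seq); return }
	if shift := seq - t.recvHigh; shift >= 64 { t.window = 0 } else { t.window <<= shift }
	t.recvHigh, t.window = seq, t.window|1
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef" + "salt") // constructed, not negotiated
	a, _ := NewTunnel(0x1001, [4]byte{203, 0, 113, 1}, [4]byte{203, 0, 113, 2}, key)
	b, _ := NewTunnel(0x1001, [4]byte{203, 0, 113, 2}, [4]byte{203, 0, 113, 1}, key)
	p1, _ := a.Encapsulate([]byte("inner IP packet 1"))
	p2, _ := a.Encapsulate([]byte("inner IP packet 2"))
	inner, err := b.Decapsulate(p1)
	fmt.Printf("first packet: %q %v\n", inner, err)
	_, err = b.Decapsulate(p1) // the same packet again
	fmt.Println("replayed packet:", err)
	p2[hdrLen] ^= 1 // one ciphertext bit flipped in transit
	_, err = b.Decapsulate(p2)
	fmt.Println("tampered packet:", err)
}
```

Two details carry the security here: the outer header is associated data, so changing the SPI or sequence number in flight fails authentication, and the window is advanced in markSeen only after Open succeeded, so an attacker cannot burn sequence numbers with forged packets and have the genuine ones rejected as replays.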
Fig. 6 is a block diagram of a message data transmission device according to another exemplary embodiment. As shown in Fig. 6, message data transmission device 60 includes a request module 602, a verification module 604, an establishment module 606, a receiving module 608 and a decryption module 610.
Request module 602 receives the target tunnel establishment request from the sending end.
Verification module 604 extracts verification information from the tunnel table based on the target tunnel identifier.
Establishment module 606 establishes the target tunnel between the sending end and the receiving end based on the verification information and generates the session key.
Receiving module 608 receives encrypted data over the target tunnel.
Decryption module 610 decrypts the encrypted data with the session key to produce the message data.
According to the message data transmission device of the present disclosure, by determining the sending-end identifier and the receiving-end identifier of the message data to be sent, determining the target tunnel identifier based on those identifiers, extracting verification information from the tunnel table based on the target tunnel identifier, establishing a target tunnel between the sending end and the receiving end based on the verification information and generating a session key, encrypting the message data with the session key to generate encrypted data, and sending the encrypted data to the receiving end through the target tunnel, the insufficient security of existing terminals can be overcome, and confidentiality and integrity protection is provided for the transmission of message data between terminals.
Fig. 7 is a block diagram of an electronic device according to an exemplary embodiment.
An electronic device 700 according to this embodiment of the disclosure is described below with reference to Fig. 7. The electronic device 700 shown in Fig. 7 is only an example and should not impose any limitation on the functions or scope of use of the embodiments of this disclosure.
As shown in Fig. 7, electronic device 700 takes the form of a general-purpose computing device. Its components may include, but are not limited to, at least one processing unit 710, at least one storage unit 720, a bus 730 connecting the different system components (including storage unit 720 and processing unit 710), and a display unit 740.
The storage unit stores program code that can be executed by processing unit 710, causing processing unit 710 to perform the steps of the various exemplary embodiments of this disclosure described above in the message data transmission method sections of this specification. For example, processing unit 710 may perform the steps shown in Fig. 2 and Fig. 3.
Storage unit 720 may include readable media in the form of volatile storage units, such as a random access memory (RAM) 7201 and/or a cache memory 7202, and may further include a read-only memory (ROM) 7203.
Storage unit 720 may also include a program/utility 7204 having a set of (at least one) program modules 7205, including but not limited to an operating system, one or more application programs, other program modules and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
Bus 730 may represent one or more of several types of bus structures, including a storage unit bus or storage unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
Electronic device 700 may also communicate with one or more external devices 700' (such as a keyboard, a pointing device or a Bluetooth device), with one or more devices that enable a user to interact with electronic device 700, and/or with any device (such as a router or modem) that enables electronic device 700 to communicate with one or more other computing devices. Such communication can take place through input/output (I/O) interface 750. Electronic device 700 can also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through network adapter 760. Network adapter 760 may communicate with the other modules of electronic device 700 through bus 730. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with electronic device 700, including but not limited to microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives and data backup storage systems.
From the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here can be implemented in software, or in software combined with the necessary hardware. Accordingly, as shown in Fig. 8, the technical solution of the embodiments of this disclosure can be embodied as a software product, which can be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a portable hard disk or the like) or on a network, and includes instructions that cause a computing device (which may be a personal computer, a server, a network device or the like) to execute the above method according to the embodiments of this disclosure.
The software product may use any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of these. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more wires, a portable disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
The computer-readable medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal or any suitable combination of these. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by or in conjunction with an instruction execution system, apparatus or device. Program code contained on a readable medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical cable, RF or any suitable combination of the above.
Program code for carrying out the operations of this disclosure may be written in any combination of one or more programming languages, including object-oriented languages such as Java and C++ as well as conventional procedural languages such as C or similar languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example through the Internet using an Internet service provider).
The above computer-readable medium carries one or more programs which, when executed by a device, cause the device to: determine the sending-end identifier and the receiving-end identifier of the message data to be sent; determine the target tunnel identifier based on the sending-end identifier and the receiving-end identifier; extract verification information from the tunnel table based on the target tunnel identifier; establish a target tunnel between the sending end and the receiving end based on the verification information and generate a session key; encrypt the message data with the session key to generate encrypted data; and send the encrypted data to the receiving end through the target tunnel.
Those skilled in the art will understand that the modules described above can be distributed in a device as described in the embodiments, or can be varied accordingly so as to reside in one or more devices different from those of this embodiment. The modules of the above embodiments can be combined into one module or further split into multiple sub-modules.
From the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here can be implemented in software, or in software combined with the necessary hardware. Accordingly, the technical solutions of the embodiments of this disclosure can be embodied as a software product, which can be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a portable hard disk or the like) or on a network, and includes instructions that cause a computing device (which may be a personal computer, a server, a mobile terminal, a network device or the like) to execute the method according to the embodiments of this disclosure.
Exemplary embodiments of the present disclosure have been specifically shown and described above. It should be understood that the disclosure is not limited to the detailed structures, arrangements or implementation methods described here; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements within the spirit and scope of the appended claims.
Claims (6)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010146753.9A CN111371549B (en) | 2020-03-05 | 2020-03-05 | Message data transmission method, device and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111371549A CN111371549A (en) | 2020-07-03 |
| CN111371549B true CN111371549B (en) | 2023-03-24 |
Family
ID=71210275
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |